RocketChat · yash-rajpal · May 28, 2026 · Jun 9, 2026 · Jun 11, 2026 · Jun 15, 2026
diff --git a/.changeset/breezy-parts-kiss.md b/.changeset/breezy-parts-kiss.md
@@ -0,0 +1,31 @@
+---
+'@rocket.chat/web-ui-registration': major
+'@rocket.chat/model-typings': major
+'@rocket.chat/core-typings': major
+'@rocket.chat/rest-typings': major
+'@rocket.chat/passport-x': major
+'@rocket.chat/models': major
+'@rocket.chat/i18n': major
+'@rocket.chat/meteor': major
+---
+
+## Phishing-Resistant Multi-Factor Authentication
+
+Introduces a more secure and reliable server-side OAuth authentication flow.
+
+### What’s New
+
+- **Improved OAuth login security**  
+  OAuth authentication now happens fully on the server, reducing the risk of token theft, phishing attacks, and client-side credential interception.
+
+- **Built-in CSRF, state validation, and PKCE protection**  
+  OAuth logins now include stronger protection against CSRF attacks, request tampering, and authorization code interception through secure state validation and PKCE support.
+
+- **Improved two-step verification with OAuth logins**  
+  Users with email or TOTP two-factor authentication enabled will now be asked to complete 2FA even when signing in with providers like Google, GitHub, GitLab, and others.
+
+- **Improved mobile & desktop app login**  
+  Mobile and desktop apps now support a smoother and more secure deep-link OAuth login flow.
+
+- **A new setting to enable/disable new OAuth Flow**
+  Enable this new setting `Accounts_OAuth_Use_Modern_Flow` to use all of the above mentioned features.
diff --git a/.changeset/flat-poets-cheat.md b/.changeset/flat-poets-cheat.md
@@ -0,0 +1,28 @@
+---
+'@rocket.chat/web-ui-registration': minor
+'@rocket.chat/model-typings': minor
+'@rocket.chat/core-typings': minor
+'@rocket.chat/rest-typings': minor
+'@rocket.chat/desktop-api': minor
+'@rocket.chat/models': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+## Phishing-Resistant Multi-Factor Authentication
+
+Introduces a more secure and reliable server-side OAuth authentication flow.
+
+### What’s New
+
+- **Improved OAuth login security**  
+  OAuth authentication now happens fully on the server, reducing the risk of token theft, phishing attacks, and client-side credential interception.
+
+- **Built-in CSRF, state validation, and PKCE protection**  
+  OAuth logins now include stronger protection against CSRF attacks, request tampering, and authorization code interception through secure state validation and PKCE support.
+
+- **Improved two-step verification with OAuth logins**  
+  Users with email or TOTP two-factor authentication enabled will now be asked to complete 2FA even when signing in with providers like Google, GitHub, GitLab, and others.
+
+- **Improved mobile & desktop app login**  
+  Mobile and desktop apps now support a smoother and more secure deep-link OAuth login flow.
diff --git a/apps/meteor/app/2fa/server/code/EmailCheck.ts b/apps/meteor/app/2fa/server/code/EmailCheck.ts
@@ -10,7 +10,7 @@ import * as Mailer from '../../../mailer/server/api';
 import { settings } from '../../../settings/server';
 
 export class EmailCheck implements ICodeCheck {
-	public readonly name = 'email';
+	public readonly name: string = 'email';
 
 	private getUserVerifiedEmails(user: IUser): string[] {
 		if (!Array.isArray(user.emails)) {
@@ -145,6 +145,6 @@ ${t('If_you_didnt_try_to_login_in_your_account_please_ignore_this_email')}
 
 	public async maxFaildedAttemtpsReached(user: IUser) {
 		const maxAttempts = settings.get<number>('Accounts_TwoFactorAuthentication_Max_Invalid_Email_Code_Attempts');
-		return (await Users.maxInvalidEmailCodeAttemptsReached(user._id, maxAttempts)) as boolean;
+		return Users.maxInvalidEmailCodeAttemptsReached(user._id, maxAttempts);
 	}
 }
diff --git a/apps/meteor/app/2fa/server/code/EmailCheckForOAuth.ts b/apps/meteor/app/2fa/server/code/EmailCheckForOAuth.ts
@@ -0,0 +1,38 @@
+import type { IUser } from '@rocket.chat/core-typings';
+import { TwoFactorChallenges } from '@rocket.chat/models';
+import { Meteor } from 'meteor/meteor';
+
+import { EmailCheck } from './EmailCheck';
+
+export class EmailCheckForOAuth extends EmailCheck {
+	public override readonly name = 'email-oauth';
+
+	public readonly method = 'email';
+
+	public async sendTwoFactorChallenge(user: IUser): Promise<string> {
+		const challengeId = await TwoFactorChallenges.createTwoFactorChallenge(user._id, 'email');
+		await this.sendEmailCode(user);
+		return challengeId;
+	}
+
+	public async verifyEmailTwoFactorChallenge(user: IUser, challengeId: string, code: string): Promise<boolean> {
+		const challenge = await TwoFactorChallenges.findOneByPendingChallengeId(challengeId);
+		if (!challenge) {
+			return false;
+		}
+
+		if (challenge.expireAt && challenge.expireAt < new Date()) {
+			throw new Meteor.Error('error-challenge-expired', 'challenge expired');
+		}
+
+		const isCodeValid = await this.verify(user, code);
+
+		if (!isCodeValid) {
+			return false;
+		}
+
+		await TwoFactorChallenges.removeByPendingChallengeId(challengeId);
+
+		return true;
+	}
+}
diff --git a/apps/meteor/app/2fa/server/code/TOTPCheck.ts b/apps/meteor/app/2fa/server/code/TOTPCheck.ts
@@ -5,7 +5,7 @@ import { settings } from '../../../settings/server';
 import { TOTP } from '../lib/totp';
 
 export class TOTPCheck implements ICodeCheck {
-	public readonly name = 'totp';
+	public readonly name: string = 'totp';
 
 	public isEnabled(user: IUser): boolean {
 		if (!settings.get('Accounts_TwoFactorAuthentication_By_TOTP_Enabled')) {

diff --git a/apps/meteor/app/2fa/server/code/TOTPCheckForOAuth.ts b/apps/meteor/app/2fa/server/code/TOTPCheckForOAuth.ts
@@ -0,0 +1,36 @@
+import type { IUser } from '@rocket.chat/core-typings';
+import { TwoFactorChallenges } from '@rocket.chat/models';
+import { Meteor } from 'meteor/meteor';
+
+import { TOTPCheck } from './TOTPCheck';
+
+export class TOTPCheckForOAuth extends TOTPCheck {
+	public override readonly name = 'totp-oauth';
+
+	public readonly method = 'totp';
+
+	public async sendTwoFactorChallenge(user: IUser): Promise<string> {
+		return TwoFactorChallenges.createTwoFactorChallenge(user._id, 'totp');
+	}
+
+	public async verifyEmailTwoFactorChallenge(user: IUser, challengeId: string, code: string): Promise<boolean> {
+		const challenge = await TwoFactorChallenges.findOneByPendingChallengeId(challengeId);
+		if (!challenge) {
+			return false;
+		}
+
+		if (challenge.expireAt && challenge.expireAt < new Date()) {
+			throw new Meteor.Error('error-challenge-expired', 'challenge expired');
+		}
+
+		const isCodeValid = await this.verify(user, code);
+
+		if (!isCodeValid) {
+			return false;
+		}
+
+		await TwoFactorChallenges.removeByPendingChallengeId(challengeId);
+
+		return true;
+	}
+}
diff --git a/apps/meteor/app/2fa/server/code/index.ts b/apps/meteor/app/2fa/server/code/index.ts
@@ -63,8 +63,8 @@ export function getFingerprintFromConnection(connection: IMethodConnection): str
 	return crypto.createHash('md5').update(data).digest('hex');
 }
 
-function getRememberDate(from: Date = new Date()): Date | undefined {
-	const rememberFor = parseInt(settings.get('Accounts_TwoFactorAuthentication_RememberFor') as string, 10);
+export function getRememberDate(from: Date = new Date()): Date | undefined {
+	const rememberFor = settings.get<number>('Accounts_TwoFactorAuthentication_RememberFor');
 
 	if (rememberFor <= 0) {
 		return;
@@ -126,6 +126,20 @@ function isAuthorizedForToken(connection: IMethodConnection, user: IUser, option
 	return true;
 }
 
+export async function rememberAuthorizationByToken(token: string, userId: IUser['_id'], connection: IMethodConnection): Promise<void> {
+	const user = await Users.findOneByIdAndLoginHashedToken(userId, token, { projection: { _id: 1, services: 1 } });
+	if (!user) {
+		throw new Meteor.Error('error-user-not-found', 'user not found');
+	}
+
+	const expires = getRememberDate();
+	if (!expires) {
+		return;
+	}
+
+	await Users.setTwoFactorAuthorizationHashAndUntilForUserIdAndToken(user._id, token, getFingerprintFromConnection(connection), expires);
+}
+
 async function rememberAuthorization(connection: IMethodConnection, user: IUser): Promise<void> {
 	// Same dual-transport resolution as `isAuthorizedForToken`: DDP reads from `Accounts._accountData`
 	// via `_getLoginToken`, REST falls back to the token carried on `connection.token`.
@@ -156,7 +170,7 @@ interface ICheckCodeForUser {
 	connection?: IMethodConnection;
 }
 
-const getSecondFactorMethod = (user: IUser, method: string | undefined, options: ITwoFactorOptions): ICodeCheck | undefined => {
+export const getSecondFactorMethod = (user: IUser, method: string | undefined, options: ITwoFactorOptions): ICodeCheck | undefined => {
 	// try first getting one of the available methods or the one that was already provided
 	const selectedMethod = getMethodByNameOrFirstActiveForUser(user, method);
 	if (selectedMethod) {
@@ -184,7 +198,6 @@ export async function checkCodeForUser({ user, code, method, options = {}, conne
 	}
 
 	let existingUser: IUser | null;
-
 	if (typeof user === 'string') {
 		existingUser = await getUserForCheck(user);
 	} else {

@@ -144,7 +144,7 @@ const rateLimiterDictionary: Record<
 	}
 > = {};
 
-const generateConnection = (
+export const generateConnection = (
 	ipAddress: string,
 	httpHeaders: Record<string, any>,
 ): {

@@ -45,7 +45,8 @@ import './v1/mailer';
 import './v1/teams';
 import './v1/moderation';
 import './v1/uploads';
-
+import './v1/twoFactorChallenges';
+import './v1/loginCode';
 // This has to come last so all endpoints are registered before generating the OpenAPI documentation
 import './default/openApi';
 

@@ -15,6 +15,7 @@ import {
 	validateInternalErrorResponse,
 } from '@rocket.chat/rest-typings';
 import { escapeRegExp } from '@rocket.chat/string-helpers';
+import { Meteor } from 'meteor/meteor';
 
 import { MAX_CUSTOM_SOUND_SIZE_BYTES, CUSTOM_SOUND_ALLOWED_MIME_TYPES } from '../../../../lib/constants';
 import { SystemLogger } from '../../../../server/lib/logger/system';
@@ -126,7 +127,7 @@ const customSoundsEndpoints = API.v1
 
 			const filter = {
 				...query,
-				...(name ? { name: { $regex: escapeRegExp(name as string), $options: 'i' } } : {}),
+				...(name ? { name: { $regex: escapeRegExp(name), $options: 'i' } } : {}),
 			};
 
 			const { cursor, totalCount } = CustomSounds.findPaginated(filter, {

@@ -0,0 +1,71 @@
+import { LoginCodes } from '@rocket.chat/models';
+import { ajv, validateBadRequestErrorResponse, validateUnauthorizedErrorResponse } from '@rocket.chat/rest-typings';
+import type { JSONSchemaType } from 'ajv';
+import { Accounts } from 'meteor/accounts-base';
+
+import type { ExtractRoutesFromAPI } from '../ApiClass';
+import { API } from '../api';
+
+const loginCodeRedeemResponse = ajv.compile<{ loginToken: string; userId: string }>({
+	type: 'object',
+	properties: {
+		loginToken: { type: 'string' },
+		userId: { type: 'string' },
+		success: { type: 'boolean', enum: [true] },
+	},
+	required: ['loginToken', 'userId', 'success'],
+	additionalProperties: false,
+});
+
+type LoginCodeRedeemParams = { code: string };
+
+const LoginCodeRedeemSchema: JSONSchemaType<LoginCodeRedeemParams> = {
+	type: 'object',
+	properties: {
+		code: { type: 'string', minLength: 64, maxLength: 64 },
+	},
+	required: ['code'],
+	additionalProperties: false,
+};
+
+const isLoginCodeRedeemParamsPOST = ajv.compile<LoginCodeRedeemParams>(LoginCodeRedeemSchema);
+
+const loginCodeEndpoints = API.v1.post(
+	'loginCode.redeem',
+	{
+		authRequired: false,
+		body: isLoginCodeRedeemParamsPOST,
+		rateLimiterOptions: { intervalTimeInMS: 60000, numRequestsAllowed: 10 },
+		response: {
+			200: loginCodeRedeemResponse,
+			400: validateBadRequestErrorResponse,
+			401: validateUnauthorizedErrorResponse,
+		},
+	},
+	async function action() {
+		const { code } = this.bodyParams;
+
+		const loginCode = await LoginCodes.findOneNotExpiredByCodeAndDelete(code);
+
+		if (!loginCode) {
+			return API.v1.failure('error-invalid-code');
+		}
+
+		const { userId } = loginCode;
+
+		const stampedToken = Accounts._generateStampedLoginToken();
+		await Accounts._insertLoginToken(userId, stampedToken);
+
+		return API.v1.success({
+			loginToken: stampedToken.token,
+			userId,
+		});
+	},
+);
+
+type LoginCodeEndpoints = ExtractRoutesFromAPI<typeof loginCodeEndpoints>;
+
+declare module '@rocket.chat/rest-typings' {
+	// eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-interface
+	interface Endpoints extends LoginCodeEndpoints {}
+}
@@ -181,15 +181,25 @@ API.v1.get(
 	},
 	async function action() {
 		const oAuthServicesEnabled = await LoginServiceConfigurationModel.find({}, { projection: { secret: 0 } }).toArray();
+		const isPassportFlowEnabled = settings.get<boolean>('Accounts_OAuth_Use_Modern_Flow');
 
 		return API.v1.success({
 			services: oAuthServicesEnabled.map((service) => {
 				if (!service) {
 					return service;
 				}
 
-				if ((service as OAuthConfiguration).custom || (service.service && ['saml', 'cas', 'wordpress'].includes(service.service))) {
-					return { ...service };
+				//	CAUTION: Never hide sign-in with apple button from mobile app.
+				if (service.service && ['apple'].includes(service.service)) {
+					return { ...service, hideButtonOnMobile: false };
+				}
+
+				if (service.service && ['saml', 'cas', 'ldap'].includes(service.service)) {
+					return { ...service, hideButtonOnMobile: false };
+				}
+
+				if ((service as OAuthConfiguration).custom || (service.service && service.service === 'wordpress')) {
+					return { ...service, hideButtonOnMobile: isPassportFlowEnabled };
 				}
 
 				return {
@@ -203,6 +213,7 @@ API.v1.get(
 					buttonColor: service.buttonColor || '',
 					buttonLabelColor: service.buttonLabelColor || '',
 					custom: false,
+					hideButtonOnMobile: isPassportFlowEnabled,
 				};
 			}),
 		});